Legal claims defining the scope of protection, as filed with the USPTO.
1. An apparatus to be used in association with a host, the apparatus comprising: circuitry to be comprised, at least in part, in the host, the host including at least one host central processing unit (CPU) and one or more chipsets, the one or more chipsets comprising one or more embedded controllers, the one or more CPU to execute, at least in part, at least one host operating system (OS), the circuitry being comprised, at least in part, in at least one of: the one or more embedded controllers; and one or more hardware partitions comprised in the one or more CPU; the at least one of the one or more embedded controllers and the one or more hardware partitions being capable of performing, at least in part, at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising: user authorization determination in response, at least in part, to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host, wherein the indication is based at least in part upon at least one of: activation of at least one secure attention key of the host by the at least one user; provision of at least one general purpose input/output (GPIO) signal to the circuitry; detection of at least one physical token associated with the at least one user; and detection of at least one physical characteristic of the at least one user; and user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased; wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e): (a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component; (b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager; (c) the at least one security-related component comprises at least one virtual trusted platform module (TPM) that is to be implemented, at least in part, by the virtual machine manager; (d) the at least one virtual TPM comprises a plurality of virtual TPM; and (e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.
2. The apparatus of claim 1 , wherein: the user authorization determination is based, at least in part, upon at least one of: biometric information associated with the at least one user; at least one challenge response provided by the at least one user; and data provided by at least one near field communication device associated with the at least one user.
3. The apparatus of claim 1 , wherein: the at least one security-related component comprises another TPM; the circuitry is to store, at least in part, user authentication information and user privilege information in a manner that is inaccessible to the at least one host OS and at least one host CPU; the user authentication determination is based at least in part upon whether the user authentication information matches, at least in part, other user-associated information provided in response, at least in part, to at least one challenge by the circuitry; and after the circuitry determines, at least in part, that the at least one user is authorized to use, at least in part, the host, the circuitry is to determine, based at least in part, upon the user privilege information, whether the at least one user is authorized to issue the at least one command to the another TPM.
4. The apparatus of claim 3 , wherein: after the circuitry determines, at least in part, that the at least one user is authorized to issue the at least one command to the another TPM, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in assertion of a physical user presence signal of the another TPM.
5. The apparatus of claim 3 , wherein: after the circuitry determines, at least in part, that the physical presence of the at least one user in the one or more regions has ceased, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in de-assertion of a physical user presence signal of the another TPM.
6. Non-transitory computer-readable memory storing one or more instructions that when executed by a machine result in performance of operations comprising: at least one operation performed, at least in part, by circuitry, the circuitry to be comprised, at least in part, in a host, the host including at least one host central processing unit (CPU) to execute, at least in part, at least one host operating system (OS) and one or more chipsets, the one or more chipsets comprising one or more embedded controllers, the one or more CPU to execute, at least in part, at least one host operating system (OS), the circuitry being comprised, at least in part, in at least one of: the one or more embedded controllers; and one or more hardware partitions comprised in the one or more CPU; the at least one of the one or more embedded controllers and the one or more hardware partitions to perform, at least in part, the at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising: user authorization determination in response, at least in part to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host, wherein the indication is based at least in part upon at least one of: activation of at least one secure attention key of the host by the at least one user; provision of at least one general purpose input/output (GPIO) signal to the circuitry; detection of at least one physical token associated with the at least one user; and detection of at least one physical characteristic of the at least one user; and user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased; wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e): (a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component; (b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager; (c) the at least one security-related component comprises at least one TPM that is to be implemented, at least in part, by the virtual machine manager; (d) the at least one virtual TPM comprises a plurality of virtual TPM; and (e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.
7. The computer-readable memory of claim 6 , wherein: the user authorization determination is based, at least in part, upon at least one of: biometric information associated with the at least one user; at least one challenge response provided by the at least one user; and data provided by at least one near field communication device associated with the at least one user.
8. The computer-readable memory of claim 6 , wherein: the at least one security-related component comprises another TPM; the circuitry is to store, at least in part, user authentication information and user privilege information in a manner that is inaccessible to the at least one host OS and at least one host CPU; the user authentication determination is based at least in part upon whether the user authentication information matches, at least in part, other user-associated information provided in response, at least in part, to at least one challenge by the circuitry; and after the circuitry determines, at least in part, that the at least one user is authorized to use, at least in part, the host, the circuitry is to determine, based at least in part, upon the user privilege information, whether the at least one user is authorized to issue the at least one command to the another TPM.
9. The computer-readable memory of claim 8 , wherein: after the circuitry determines, at least in part, that the at least one user is authorized to issue the at least one command to the another TPM, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in assertion of a physical user presence signal of the another TPM.
10. The computer-readable memory of claim 8 , wherein: after the circuitry determines, at least in part, that the physical presence of the at least one user in the one or more regions has ceased, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in de-assertion of a physical user presence signal of the another TPM.
11. A method for use in association with a host, the method comprising: at least one operation performed, at least in part, by circuitry, the circuitry to be comprised, at least in part, in the host, the host including at least one host central processing unit (CPU) and one or more chipsets, the one more chipsets comprising one or more embedded controllers, the one more CPU to execute, at least in part, at least one host operating system (OS), the circuitry being comprised, at least in part, in at least one of: the one or more embedded controllers; and one or more hardware partitions comprised in the one or more CPU; the at least one of the one or more embedded controllers and the one or more hardware partitions to perform, at least in part, the at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising: user authorization determination in response, at least in part, to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host; and user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased, wherein the indication is based at least in part upon at least one of: activation of at least one secure attention key of the host by the at least one user; provision of at least one general purpose input/output (GPIO) signal to the circuitry; detection of at least one physical token associated with the at least one user; and detection of at least one physical characteristic of the at least one user; wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e): (a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component; (b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager; (c) the at least one security-related component comprises at least one TPM that is to be implemented, at least in part, by the virtual machine manager; (d) the at least one virtual TPM comprises a plurality of virtual TPM; and (e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.
12. The method of claim 11 , wherein: the user authorization determination is based, at least in part, upon at least one of: biometric information associated with the at least one user; at least one challenge response provided by the at least one user; and data provided by at least one near field communication device associated with the at least one user.
13. The method of claim 11 , wherein: the at least one security-related component comprises another TPM; the circuitry is to store, at least in part, user authentication information and user privilege information in a manner that is inaccessible to the at least one host OS and at least one host CPU; the user authentication determination is based at least in part upon whether the user authentication information matches, at least in part, other user-associated information provided in response, at least in part, to at least one challenge by the circuitry; and after the circuitry determines, at least in part, that the at least one user is authorized to use, at least in part, the host, the circuitry is to determine, based at least in part, upon the user privilege information, whether the at least one user is authorized to issue the at least one command to the another TPM.
14. The method of claim 13 , wherein: after the circuitry determines, at least in part, that the at least one user is authorized to issue the at least one command to the another TPM, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in assertion of a physical user presence signal of the another TPM.
15. The method of claim 13 , wherein: after the circuitry determines, at least in part, that the physical presence of the at least one user in the one or more regions has ceased, the circuitry is to issue, at least in part, a general purpose input/output signal that results, at least in part, in de-assertion of a physical user presence signal of the another TPM.
16. An apparatus, comprising: logic, at least partially comprising hardware, to be comprised, at least in part, in a host, the host including at least one host central processing unit (CPU) and one or more chipsets, the one or more chipsets comprising one or more embedded controllers, the one or more CPU to execute, at least in part, at least one host operating system (OS), the logic being comprised, at least in part, in at least one of: the one or more embedded controllers; and one or more hardware partitions comprised in the one or more CPU; the at least one of the one or more embedded controllers and the one or more hardware partitions being capable of performing, at least in part, at least one operation in isolation from interference from, access by, and control by the at least one host OS, the at least one operation comprising: user authorization determination in response, at least in part, to indication of physical presence of at least one user within one or more geographic regions comprising the host, the user authorization determination to determine, at least in part, whether the at least one user is authorized to issue at least one command to at least one security-related component of the host, wherein the indication is based at least in part upon at least one of: activation of at least one secure attention key of the host by the at least one user; provision of at least one general purpose input/output (GPIO) signal to the circuitry; detection of at least one physical token associated with the at least one user; and detection of at least one physical characteristic of the at least one user; and user presence determination to determine, at least in part, whether, after the indication has been provided, the physical presence of the at least one user in the one or more regions has ceased; wherein the circuitry is to satisfy at least one of the following subparagraphs (a) to (e): (a) the circuitry is to execute, at least in part, at least one software agent to perform, at least in part, at least one of the user authorization determination and the user presence determination, and the at least one agent also is to establish, at least in part, at least one secure communication channel with the at least one security-related component; (b) the at least one software agent is to be comprised, at least in part, in a virtual machine manager; (c) the at least one security-related component comprises at least one TPM that is to be implemented, at least in part, by the virtual machine manager; (d) the at least one virtual TPM comprises a plurality of virtual TPM; and (e) the circuitry is comprised, at least in part, in at least one device that is capable of being removably communicatively coupled to the host.
Unknown
January 5, 2016
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.